Ministry of Finance

Internal Audit Department

Internal Audit Department

Good Practice Guide:
Developing an Internal Audit Strategy

Funded by: Supported by: Linpico

EUROPEAN UNION

April 2018

1|Page
Contents
Introduction Page
Chapter 1 Overview on the Internal Audit Strategy
Chapter 2 Fundamentals for developing an Internal Audit Strategy
Chapter 3 Identifying audit coverage (the audit universe)
Chapter 4 Risk assessing the audit universe
Chapter 5 The Audit Toolbox
Chapter 6 Identifying and procuring skills and resources
Chapter 7 Quality Assurance
Chapter 8 Finalising, submitting and selling the strategy
Chapter 9 Review of the Internal Audit Strategic Plan
Annex A Operational Procedure: Strategic Audit Planning
Annex B Operational Procedure: Strategic Planning – Management
Input
Annex C Template: Strategic Audit Plan

The guide has been developed by the Internal Audit Directorate

MOFED. Suggestions for improvements to the guide are very welcome
and should be addressed to IAD MOFED.

2|Page
INTRODUCTION
Internal audit planning by the Internal Audit Unit (IAU) for the MDAs is
structured at three levels:

 Three-year strategic internal audit plan.

 Annual Internal Audit Plan.
 Internal Audit Assignment Plan.

The strategic audit plan is the high-level concept of how the internal audit
service will be delivered, and the focus of this Guide is on developing the
three-year strategic internal audit plan.

A systematic and structured process can be used to develop the internal audit
strategic plan, helping to enable the internal audit activity to achieve its vision
and mission.

This guide aims to highlight the range of specific considerations that should
assist the Head Internal Audit Unit (HIAU) to develop a three-year internal
audit strategy relevant to their MDA.

This guide does not set out a “model strategy”; because each MDA is unique,
its risk management, control and governance is unique, and the internal audit
strategy is unique. However, the use of this guide should allow an HIAU to
ensure that they give attention to the key elements of an effective internal
audit strategy.

This guide focuses on strategy for delivering assurance to the principal

stakeholders i.e. the Minister, Board (where one exists), Vote Controller and
Audit Committee within the MDA.

The structure of the guide is as follows:

 Chapters 1 to 9 outline better practice considerations in developing and

maintaining an internal audit strategy relevant to the MDA
 Annexes A & B provide operational procedures with a structure to the
development of the internal audit strategy, and
 Annex C is a model template for an Internal Audit Strategy to assist
HIAUs in consolidating the results of the strategy development.

3|Page
 1. Overview of the Audit Strategy
For an internal audit function to remain relevant, it should adapt to changing
expectations and maintain alignment with the objectives of the MDA. The
internal audit strategy is fundamental to remaining relevant — playing an
important role in achieving the balance between cost and value, while making
meaningful contributions to the MDA’s overall governance, risk management,
and internal controls.

The purpose of the audit strategy is to put in place a strategic approach that
will allow the Head of Internal Audit Unit to manage the audit unit in a way
that will facilitate:

The provision to the principal stakeholders an overall opinion each year on the:

 MDA’s risk management, control and governance arrangements.

 Audit of the organisation’s risk management, control and governance
through periodic audit plans in a way that affords suitable priority to the
MDAs objectives and risks.
 Improvement of the MDA’s risk management, control and governance
by providing line management with recommendations arising from audit
work.
 The identification of audit resources which “are appropriate, sufficient
and effectively deployed to achieve the approved plan” as defined in the
Sierra Leone Public Sector Internal Audit Standards.
 Effective co-operation with external auditors and other review bodies
functioning within the MDA.
 Provision of both assurance and consultancy services by internal audit.

The documented audit strategy should set out, at any point in time:

 The extent to which internal audit can rely on the MDA’s risk analysis.
 Where the MDA risk analysis is not reliable, or not sufficiently well
established within the MDA, then the HIAU will have to undertake
his/her own risk assessment.
 The elements of the risk analysis which are regarded as essential for
annual audit review to provide a positive, reasonable assurance to the
principal stakeholders

4|Page
  The further coverage of the risk analysis that is necessary to provide a
positive reasonable assurance and to meet the specified assurance
requirements of the principal stakeholders.
 The areas of change in the organisation that are being subjected to
systems development audit.
 The range of approaches which internal audit plans to deploy.
 The assessment of resources required to deliver the audit assurance,
including identification of specialist skills that may be required.
 The way in which internal audit and specialist resources will be
procured.
 The approach to training and continuing professional development of
internal audit staff to ensure that they are suitably skilled to deliver the
internal audit service.
 How the internal audit service will measure its performance, Quality
Assure itself, and seek continuous improvement
 Risks that the audit unit itself faces in delivering the strategy and plans
for controlling these risks.

The HIAU must agree the strategy and periodic plans with the principal
stakeholders, ensuring that internal audit’s plans, resource requirements and
any significant interim changes are appropriately communicated to the
principal stakeholders.

Once the strategy is agreed within the MDA a copy should be sent to the
Director IAD MOFED. The Director has overall responsibility for internal audit
within MDAs and this includes a responsibility to ensure that internal audit
strategies follow the processes in this guide, and are also consistent with the
Sierra Leone Public Sector Internal Audit Standards.

Importantly developing an internal audit strategy is not an exact science and

is much dependent upon the internal audit expertise, experience and
professional judgement of the HIAU.

5|Page
 2. Fundamentals for developing
the Audit Strategy
There are several fundamentals for developing the internal audit strategy:

• A thorough understanding of the MDA’s objectives and performance

targets.
• If exists. An understanding of the MDAs risk analysis procedures, including
the risk priorities of the MDAs and the allocation of ownership of key risks.
• A thorough understanding of the MDAs management structures and roles
and the organisational structures.
• A thorough understanding of the priorities of the principal stakeholders. The
HIAUs should regularly have sight of Board minutes and changes to key
documents such as the MDAs Strategy.

MDAs Risk Assessment is in place

Where a complete management analysis of risk is in place within an MDA,

internal audit should undertake preliminary work to ascertain the reliability
that the HIAU can place on it in relation to developing the internal audit
strategy.

Reviewing the MDAs risk analysis serves two purposes:

 It provides the principal stakeholders with an opinion about the

organisations own strategic approach to the analysis of risk.
 It provides internal audit with assurance that the risk analysis is a sound
basis for planning an internal audit strategy.

This risk management review by internal audit should seek evidence of the
following risk management characteristics:

• The completeness of management’s risk identification process.

• The identification of appropriate criteria for the evaluation of risk in respect
of both impact and likelihood.
• The appropriate application of these criteria to the identified risks.
• Appropriate consequent prioritisation of risks and identification of key risks.
• Appropriate relationship between organisational objectives and prioritised

6|Page
risks.
• Assignment of ownership of risks at an appropriate level which has authority
to assign resources in responding to the risks.
• The regular review / revision of the risk analysis.

If the HIAU is not satisfied with any of the above, the issues identified should
be discussed with the principal stakeholders to try to resolve the issues.

When the MDA does not have an adequate risk assessment

When a complete management analysis of risk is not in place, internal audit

should first consider what help management needs to develop an appropriate
analysis and how this would help the audit process.

Without an adequate management risk analysis, it will then be necessary for

the HIAU to develop his/her own analysis of risk to facilitate the preparation of
an audit strategy.

7|Page
 3. Identifying Audit Coverage
(Audit Universe)
The next stage in developing the audit strategy is consideration of the
coverage of the risk management, control and governance that is required to
provide the principal stakeholders with an opinion.

The HIAU is responsible for developing a risk-based plan, considering the

MDA’s risk management framework. The internal audit plan must be based
upon a documented risk assessment, updated at least annually, and take
account of the input from the Minister, Vote Controller, MDA’s senior
management, the board (where one exists) and the Audit Committee.

Consideration of the coverage necessary should take into account the

organisation’s goals and the risk exposures relating to all the MDA’s activities
and operations it will not be necessary to audit every aspect of risk, control
and governance every year, but certain factors will be relevant to
considerations at this stage:

 The organisation’s risk analysis should be reviewed every year to gain

assurance that it continues to be appropriate.
 The organisation’s oversight of sponsored bodies and the adequacy of
their governance, assurance and internal audit arrangements could be
an important component, particularly for a Ministry or Department.
 Within the risk, control and governance there may be certain high-risk
systems or processes that will need to be reviewed annually to deliver
the assurance required e.g. business critical projects, revenue generating
activities
 The overall coverage will need to encompass the whole range of risks
that has been identified as “key” to the achievement of the MDAs
objectives.
 An adequate range of non-key risks needs to be included in any year’s
coverage to demonstrate sufficient comprehensiveness of the opinion
(risks not defined as key still need to be given attention to gain
assurance that material adverse impacts are not arising).
 Cross-cutting risks and inter-departmental systems are likely to be
important areas of coverage. This may require aspects of joint planning

8|Page
 and coordination with management and auditors in the associated
MDAs.
 Current knowledge of the organisation’s risk management, control and
governance (including past external audit findings and
recommendations) will inform assessment of the likelihood of there
being (material) deficiencies which may require greater audit coverage.
 The adequacy of control exercised over contractors and service
providers will need to be assessed; and
 The audit coverage should also take account of significant centrally
driven developments to which organisations are required to respond.
These may include issues such as Information Assurance, Government
Accounting, Health and Safety, and Financial Management.

It should be kept in mind that the most effective audit coverage is gained by a
combination of strategic audits (is risk, control and governance well planned
and directed?) and operational audits (is risk management, control and
governance well executed?). The audit coverage should aim to address both
the question of how well control is planned and how well it operates in
practice.

In addition to consideration of existing risk, control and governance,

consideration should be given to the extent of change taking place or planned
to take place in the MDA. Any planned projects or developments impacting on
risk, control and governance should be encompassed in the strategy:

 Changing processes can be inherently riskier than established and

known processes.
 Identification of weaknesses in developing areas is more economical to
correct during development rather than after the process has been put
in place.

As well as the considerations above, internal audit should discuss the

assurance required with the principal stakeholders to help gauge the coverage
that will be required. Internal audit should work with them to help them to
maintain an assurance framework, indicating how they will derive the
respective assurance for each key risk.

9|Page
Audit Universe

These considerations will result in an ‘audit universe’. From this the audit work
to be done in any year to be developed, thus leading to the development of
annual audit plans.

Constraints

If the assurance required by the principal stakeholders is considered by the

HIAU as less than “positive and reasonable” the HIAU should discuss the
implications of this with the principal stakeholders, and if necessary record and
made clear the situation in any opinions provided by the HIAU. Conversely if it
is likely the internal audit unit will be unable for some reason to deliver such
assurance the HIAU should also discus and record the results and implications.
The Director IAD MOFED should be made aware in writing of any such
difficulties that arise in developing the internal audit strategy.

Resources

For each internal audit assignment identified, an estimate of the number of

staff days that will be required to conduct the work should be made. It is
important to allow adequate time for work to be done professionally and for
proper acquisition and evaluation of evidence.

The best resource for making these estimates is historic experience of how
long audit work takes to do.

The coverage and resources envisaged should be summarised in the internal

audit strategy

10 | P a g e
 4. Risk Assessing the Audit
Universe
From the earlier Chapter it is clear that the risk assessment and evolving
strategy must be built around the auditable units (audit universe).
An advantage of having an audit universe is that it enables the internal audit
function to be clear about the extent of audit coverage of key risks and other
risk areas each year. It can also provide a degree of rigour around areas not
being audited.
Objectives of risk assessing the audit universe
In the absence of a reliable risk assessment within the MDA the main
objectives of the internal audit risk assessment are to:
 Allocate limited internal audit resources to areas within the MDA that
are most critical to the success of achieving the MDAs objectives, goals,
deliverables etc – using risk as the basis of assessment;
 Increase internal audit efficiency and effectiveness by matching internal
audit resources/effort to risk in the identified auditable units.
Risk assessment process
A well-developed risk assessment model will provide an efficient and
systematic procedure to:
 Determine the potential auditable areas within the MDA;
 Measure risk in the auditable areas as high, medium or low;
 Rank the auditable areas by risk;
 Estimate the time necessary to undertake the audit;
 Distribute audit resources in the most efficient manner, and
 Develop a strategy and annual plans.
Examples of Risk Factors
The combination of factors used in an internal audit risk assessment may be
different for each MDA dependent upon the nature of the MDA operations.
However, the more common risk factors used by internal audit include:
 Significance of activity/function as an objective or goal of the MDA

11 | P a g e
  Materiality
 Potential for fraud, misuse or error
 Stability of system – new project, IT development,
 Control environment
 Assessment at last internal audit
 Potential for reputational damage
 Extent of computerisation
 External assessment e.g. Auditor General reports
 Resources
Risk rating
All of the identified auditable units within audit universe should be
rated(scored) for each of the risk factors that HIAU decides to use. There are
numerous methodologies for scoring, some complex which may well be
justified in banking or financial institutions, but if possible keep the rating
system simple but relevant, overall ‘fit for purpose’.
The following are two examples of simple risk ratings to use for each risk
factor:
 Risk Score 0 (low)
3 (medium low)
5 (medium)
7 (medium high)
9 (high)
 Risk Score 1 (low)
2 (medium)
3 (high)
Risk Rating and Prioritisation
For each auditable area in the audit universe the risk scores for all risk factors
are totalled to obtain a representative total impact and probability score for
each.
Once the total scores have been calculated the list of auditable units can be
sorted from the highest to lowest by their respective total risk score.
Then rank the audit universe based on the result of the risk assessment.

12 | P a g e
Audit Universe – HINTS
HINT 1 – There is an industry around risk management but generally, for public
sector internal audit purposes, risks can be divided into five groups:
 Strategic risks
 Operational risks
 Financial risks
 Information risks
 External risks
HINT 2 – Assessing resource requirements – minimum unit a day
HINT 3 – Make the resultant strategy/plan look good – professional
HINT 4 – YOU probably no more than others about risks within the MDA so BE
CONFIDENT with resultant strategy and plans.

13 | P a g e
 5. The Audit Toolbox
From the guidance given in previous Chapters, it can be seen that an effective
internal audit service for the MDA will require a range of techniques at its
disposal. The audit strategy should aim to set out which techniques will be
used in which circumstances.

The range of audit techniques will include:

 Systematic audit - A “full” audit in which every aspect and stage of the
audited subject is considered. It includes review of both the design and
operation of controls.
 Compliance audits - Where there is pre-existing confidence that controls
are well designed, but effective operation of the controls is a material
issue, audits that test only for effective operation of controls can be
appropriate e.g. payroll or revenue generating audits.
 Key control testing - A review clearly focussed on a small number of
material or key controls.
 Quality Assurance Review - Reviewing the approach and competency of
other reviewers rather than reviewing risks and controls direct. Designed
to form an opinion of the reliance that can be placed on the work of
others.
 Control and Risk Self-Assessment (CRSA) - A technique in which the
people who run a system or process review their own risks and controls,
usually with a facilitator from internal audit who ensures a structured
approach.
 Facilitating CRSA workshops serves as both an assurance technique and
a consultancy technique for internal audit.
 Systems Development Audit - Review of plans and designs for new
systems and processes aimed at providing assurance on controls being
designed into future systems and on the adequacy of the project/change
process

14 | P a g e
6. Identifying and procuring skills
and resources
The considerations given to the audit coverage will also reveal any need for
specialist resources in addition to staff the current internal audit staff within
MDAs. These additional skills may include accountants, lawyers, technical or
scientific specialists and specialist IT skills.

For these specialist resources it may not be good value to appoint full time in-
house staff. It may be necessary to consider how to procure these skills to the
extent to which they are required to deliver the audit strategy. If necessary,
appropriate call-off contracts should be set up or arrangements made for joint
working with specialists within the organisation. IAD MOFED should be
consulted when such specialist resources are required as it may be that the
resource can be drawn from another MDA to assist.

As well as planning for specialist skills, the strategy should plan for the ongoing
core audit skills that the MDA internal audit service requires. There should be a
“succession plan” to help identify forthcoming vacancies with a view to
promptly filling with appropriately qualified staff.

The strategy should also include comment on the internal audit functions
training and development needs to ensure that new staff are equipped with
requisite skills as early and as effectively as possible. It is also good
professional practice to consider how the “core” audit staff will maintain their
skills. In particular all core audit staff should be well trained in risk
management issues.

The long-term view of the work which needs to be done informs the
assessment of the number of audit staff required to deliver the internal audit
coverage required by the Vote Controller. Interpreting the estimate of staff
days required to deliver an effective audit service into a staffing plan also
needs to take account of:

 Supervision time – all audit work must, in the first instance be subjected
to appropriate quality management through review and supervision.

15 | P a g e
  Contingency time – allow an element of time to deal with unforeseen
issues (for example – the emergence of a new risk, or a request from the
Vote Controller or the Audit Committee).
 Training time – adequate time for training to ensure that staff are
competent in their work must be allowed.
 Follow-up time – adequate time must be allowed to review
management response to audit reports, and in particular in addressing
material weaknesses.
 Management and administrative time – allow sufficient time for
strategic management, liaison with the Audit committee, and for the
efficient administration of the internal audit function.

Any limitation on assurance caused by lack of resources should be advised to

the principal stakeholders and in writing to the Director IAD MOFED

16 | P a g e
 7. Quality Assurance
Quality Assurance is the subject of separate good practice guidance. However,
in order that the Vote Controller, Audit Committee and line managers can have
confidence in the internal audit service, the strategy should set out the key
elements of the quality assurance processes deployed by internal audit.

In particular the strategy should set out:

1 The way in which the internal audit service governs and controls itself.
 By reference to the Sierra Leone Public Sector Internal Audit Standards.
 By reference to guidance such as the Government Internal Audit
Manual.
 By reporting to the Audit Committee.
 By reporting to the Internal Audit Director MOFED

2 The key elements of supervision, for example.

 How junior staff are supervised.
 How work is reviewed.

3 The timetable planned for.

 Internal Quality Assurance Reviews. (To be discussed with IAD MOFED)

4 Work planned to improve the quality of internal audit services, for

example
 Training initiatives.
 Networking with other internal audit functions, public and private sector
 Acquisition of new IT audit tools.
 Action plans to follow up issues identified in previous quality assurance
reviews.

17 | P a g e
8. Finalising, Submitting and Selling
the Strategy
“To know and understand your customers so well that the product or
service fits and sells itself’
Peter Drucker management consultant whose writings contributed to the philosophical and practical
foundations of modern business.

Often the importance of finalising and submitting the internal audit strategy to
top management and the Audit Committee is overlooked by HIAUs. The final
product should capture the attention of Vote Controllers and Audit
Committees.

The strategy represents the HIAUs vision for the future of internal audit within
the MDA over the coming years. It should be a vehicle for taking the internal
audit function from the ‘back room’ to the ’board room’. The strategy
document should promote a quality, added value and professional internal
audit service that will be available to serve not only the Vote Controller and
the MDA but also the wider Sierra Leone public service.

There follow a few thoughts on how HIAUs might achieve impact with finalising
and selling the internal audit strategy:

 There is an Internal Audit Strategic Audit Plan Template at Annex C. The

template is a prompt as to the headings to use but HIAUs should adapt
and expand to suit the circumstances of the MDA.
 HIAUs should be creative giving thought to detail of the content,
support with colour, graphs and charts, photos – think of the strategy as
presenting YOUR business.
 A very important Section within the template is ‘Other Important
Information’ – HIAUs should use this to advantage – topics such as risks
to internal audit, training needs, resourcing issues, professional and
exam successes, horizon scanning could all be included within this
Section
 Highlight the value of the internal audit service to the Vote Controller
and the managers of the MDA. Create demand for your service!
 Overall keep the content to the minimum necessary and avoid too much
jargon, etc

18 | P a g e
 In taking forward the strategy – identify your ‘champions’ and your
‘challengers’ , then concentrate effort in turning your ‘challengers’ into
‘champions’.
 Team build continuously – involve the team at all stages of planning,
encourage continuous improvement – delegate!

19 | P a g e
9. Review of the Internal Audit
Strategic Plan
Similar to the strategic plan for the organization, the internal audit strategic
plan should be periodically reviewed and appropriately updated. The
frequency of review will be determined by the HIAU in conjunction with
discussions with the Vote Controller, Board and Audit Committee. Factors
influencing the frequency of reviews include (but are not limited to):

• Degree of the organization’s growth and assessment of organizational

maturity.
• Changes in the organization’s strategy.
• Degree to which the organization and its senior management rely upon the
internal audit activity’s independent assessment or support regarding the
management of organizational risks.
• Significant change in the availability of the internal audit activity’s resources.
• Significant change in laws or the volume of changes to organizational policies
and procedures.
• Degree of change in the organization’s control environment.
• Key changes in an organization’s leadership team and board of director
composition.
• Evaluation of how the internal audit activity has qualitatively or
quantitatively delivered on its strategic plan.
• Results of internal/external assessments of the internal audit activity.

20 | P a g e
ANNEX A - OPERATIONAL PROCEDURE: STRATEGIC AUDIT PLANNING

Background

Strategic audit planning is the process of identifying the key audit strategic
direction of the IAU for a three-year period. Its format and content shall be
agreed upon, and reviewed annually by the principal stakeholders and the
Head of Internal Audit Unit to take account of changing circumstances of
the MDAs.

Objective

A long term strategic plan is necessary because it is often impossible to audit

every aspect of every entity each year. It is therefore important to have a
plan that ensures that each system/procedure is audited at least once in the
three year cycle and to audit high risk areas more often, preferably once
every year. The purpose of the Strategic Audit Plan includes:

Identifying all the areas of MDA’s activity that require auditing over the three
year period.

Stating how the MDAs key internal control systems and risk management
processes will be reviewed.

Stating how the Internal audit service will be provided, and establishing the
resources and skills required for meeting audit objectives.

Assisting the overall control and direction of the work.

21 | P a g e
Procedure

Action by: Action:

Internal Audit Unit 1. Review the Mission Statement, values and objectives
of the MDAs.

2. Identify the audit universe (all auditable areas).

3. Assess risk in each activity area. (Risk assessment can

be carried out based on management’s own Risk
assessment’s procedures or on the internal auditors’
risk assessment process. The basis of the risk
assessment could include the internal auditor’s
cumulative knowledge from previous audits.

4. Request input from management using the

Management Input Memo (ANNEX B)

5. Prepare a pre-planning meeting with Senior

Management to discuss management’s needs and
expectations and risk identification process

6. Determine the total score for each activity. (The

total score determines the frequency of audit
coverage. Audits are assigned to one of three
frequency bandings: High (audited every year),
Medium (every other year) and Low (no more than
once every three years).
Head of Internal 7. Host a planning meeting with Senior Management
Audit Unit Panel.
Head of Internal 8. Calculate the number of auditor days available over
Audit Unit the coming 3 years.

9. Allocate the total auditor days.

10. Prepare and submit the Strategic Audit Plan for

approval by the AC and the Vote Controller.

22 | P a g e
 ANNEX B

OPERATIONAL PROCEDURE NOTE: STRATEGIC OPERATIONAL PLANNING

MANAGEMENT INPUT MEMO
Background

Management is responsible for establishing and maintaining internal controls

to achieve the objectives of effective and efficient operations, reliable
financial reporting, and compliance with applicable laws and regulations. In
the process of carrying out this responsibility, management may become
aware of areas of possible risk where it would want the IAU to review.

Objective

To seek input from management of the MDA and AC for possible areas of
risks, their likelihood or importance. The input received from management
and AC together with the long-term audit plan should serve as the basis in
arriving at the annual plan for the MDA.

Procedure
Action by: Action:
HIAU
 Send a letter or hold discussions with
management of the MDA and Audit
Committee (AC) requesting them to provide
the IAU with their audit needs
 Review the requests received from
management and identify the areas which
can be incorporated into the annual audit
plan. (The decision to include a request into
the audit plan should be based on risk
analysis, availability of audit staff, and other
inherent risk associated with the request).
 Communicate decision and basis for arriving
at the decision on which areas will be
included in the audit plan to management
and Audit Committee (AC)
 Document discussions in an Audit Needs
Assessment Working Paper file.

23 | P a g e
ANNEX C INTERNAL AUDIT STRATEGIC AUDIT PLAN TEMPLATE

INTERNAL AUDIT UNIT STRATEGIC AUDIT

PLAN
Version : 1 Date : September 2016

INTERNAL AUDIT UNIT

STRATEGIC AUDIT PLAN 20xx/20xx

1. Introduction and purpose of the strategy
THIS REPORT IS SUBMITTED IN ACCORDANCE WITH
1.1
1.2
1.3
OVERVIEW OF FUNCTIONS AND RESPONSIBILITIES OF THE MDA
1.4
1.5
KEY ASPECTS OF THIS STRATEGIC PLAN (RELATED TO THE METHODOLOGICAL ISSUES OF ITS
FORMATION)

1.6
1.7

2. Commentary on the 20xx/xx (last period) strategic and 20xx (the latest
completed) annual plan
2.1

2.2

3. Risk Analysis (Including risk assessment methodology)

4. Audit Coverage - Strategic Plan 20xx/xx and Annual Plan for 20xx
(ISSUES RELATED TO THE PROBLEMS AND SUBSTANCE OF AUDIT AREAS, AUDIT PERFORMANCE AND
ADMINISTRATION)

4.1

24 | P a g e
 4.2

Risk Yr1 Yr2 Yr3 Total in

Audit Areas score years
20xx 20xx 20xx

Administration /
General issues
(strategic objectives)

H 2 1 1 7

M 1 1 3

L 1 1

Procurement
management

Financial
Management

PR & Communication

System Review

Total audits/yr -

5. Auditable areas not covered in audit plan cycle (Including reasons for which
there will be no audit activities)

6. Audit reporting
6.1 ASSIGNMENT LEVEL

6.2 ORGANISATIONAL LEVEL

7. Staffing (Including training and professional development plans)

8. Other Important Issues (IF ANY)

8.1

25 | P a g e
9. Conclusion

9.1

HEAD INTERNAL AUDIT:

_________________________________________________

(NAME, SIGNATURE, DATE)

CONTACTS: ADDRESS, ROOM …

TEL., FAX

EMAIL

COPIES OF THIS DOCUMENT DISTRIBUTED TO:

____________________________________________

____________________________________________

____________________________________________

(NAME, TITLE, CONTACT INFO)

APPROVAL INSCRIPTIONS:

____________________________________________

____________________________________________

(NAME, TITLE, STAMP)

26 | P a g e